The crypt() function performs password
hashing. Additional code has been added to deter key search attempts and to
use stronger hashing algorithms.

The first argument to crypt() is a
NUL-terminated string key, typically a user's
typed password. The second, setting,
currently supports a single form. If it begins with a string character
(‘$’) and a number then a different
algorithm is used depending on the number. At the moment
‘$2’ chooses Blowfish hashing; see below
for more information.

The Blowfish version of crypt has 128 bits of
salt in order to make building dictionaries
of common passwords space consuming. The initial state of the Blowfish cipher
is expanded using the salt and the
password repeating the process a variable
number of rounds, which is encoded in the password string. The maximum
password length is 72. The final Blowfish password entry is created by
encrypting the string

“OrpheanBeholderScryDoubt”

with the Blowfish state 64 times.

The version number, the logarithm of the number of rounds and the concatenation
of salt and hashed password are separated by the
‘$’ character. An encoded
‘8’ would specify 256 rounds. A valid Blowfish password looks
like this:

“$2b$12$FPWWO2RJ3CK4FINTw0Hi8OiPKJcX653gzSS.jqltHFMxyDmmQ0Hqq”.

The whole Blowfish password string is passed as
setting for interpretation.